John le Carré’s fictional spy George Smiley spent his retirement quietly scouring the secondhand bookshops of Charing Cross looking for rare works of German literature. In real life, though, former spooks are more likely to go searching for more worldly rewards.
A decade ago, former members of Intelligence Unit 8200, the Israeli defence forces outfit responsible for collecting and decrypting signals intelligence, set up a Tel Aviv–based cybertechnology company called NSO Group Technologies. By 2019 the company was valued at approximately US$1 billion. You can buy an awful lot of secondhand books — and quite a few secondhand bookshops, for that matter — with that kind of dough.
The company’s big money-spinner is a digital surveillance technology called Pegasus, which it licenses to governments around the world. Israel has strict rules on exporting this type of spyware, but it has never knocked back a request from NSO to sell its products overseas.
Pegasus is an authoritarian’s dream come true. It can give you secret access to the phone calls, texts, photos and emails of just about anyone with a smartphone. It will track the phone’s location and collect any data it transmits to Facebook, WhatsApp, Skype and other apps. It even allows you to secretly activate a smartphone’s microphones and cameras, turning targets’ phones into bugging devices they carry everywhere with them. I imagine the sales pitch is pretty concise: “Dear Mr Authoritarian, wouldn’t you love to get inside your enemy’s smartphone?”
The existence of Pegasus is no big secret. NSO freely admits it has sixty government agency clients — spies and cops, presumably — in forty countries, but it says its clients are “the good guys,” who use Pegasus to fight terrorism and crime. And anyway, it’s the clients who are responsible for using the spyware, not NSO Group.
Since around 2016, however, tenacious journalists and hardworking watchdog groups have been exposing how NSO’s clients have misused Pegasus. I’m sure you’ll be shocked to learn that some governments have used this cybersurveillance technology to abuse the human rights of reporters and political opponents.
The New York Times reported in 2019, for example, that the Mexican government had used Pegasus not only to capture the drug kingpin El Chapo, but also to track and harass at least two dozen journalists whose work it didn’t like. The same article reported how another client of NSO Group, the United Arab Emirates, used Pegasus to spy on Ahmed Mansoor, a prominent human rights activist. Mansoor was arrested in 2017 by UAE authorities and is serving a ten-year sentence for using social media platforms to “publish false and misleading information.”
Last week, the negative publicity about NSO Group and Pegasus went up a couple of notches. Someone leaked 50,000 phone numbers of potential Pegasus surveillance targets to Forbidden Stories, a Paris-based organisation that safely stores the work of threatened journalists from around the world, and the human rights group Amnesty International.
Following the template established by previous worldwide mega-leaks, including the Panama Papers in 2016, a consortium of seventeen media organisations, including the Washington Post and the Guardian, has been checking and publishing the stories arising from the leak.
At the start, the Pegasus Project had two jobs: to find out who owned these phone numbers, and then to get as many phones as possible into a lab for analysis.
In the end, Amnesty International’s Security Lab was able to forensically analyse sixty-seven smartphones supplied to them by human rights activists and journalists. Amnesty’s boffins found that thirty-seven had either been penetrated or tampered with by Pegasus. As a back-up, Amnesty’s work was peer-reviewed by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs.
Meanwhile, more than eighty journalists working on the project were able to establish that many of the leaked numbers were indeed the real numbers of activists, dissidents, journalists, government officials, politicians and even heads of state (“three presidents, ten prime ministers and a king,” according to the Washington Post).
This looks like strong evidence that at least some NSO clients are misusing NSO Group’s technology. Predictably, the company disputes the claim that the leaked phone numbers are surveillance targets. A lawyer representing the company declared to Forbidden Stories that “the data has many legitimate and entirely proper uses [and has] nothing to do with surveillance or with NSO.”
In a statement to the Pegasus Project, NSO Group said it “will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations. This includes [the] shutting down of a customer’s system, something NSO has proven its ability and willingness to do… and will not hesitate to do again if a situation warrants.”
Amnesty International’s secretary general, Agnès Callamard, is having none of this. “NSO Group can no longer hide behind the claim that its spyware is only used to fight crime,” she said this week. “It appears that Pegasus is also the spyware of choice for those wanting to snoop on foreign governments.”
The revelations of the Pegasus Project highlighted the need for strong regulation to rein in a wild west surveillance industry, Callamard went on. “States must implement a global moratorium on the export, sale, transfer and use of surveillance equipment until a robust human rights–compliant regulatory framework is in place. The Israeli government should also not authorise licences for the export of NSO Group’s cybersurveillance technology if there is a substantial risk it could be used for human rights violations.”
There are over seven billion people on Earth and five billion of them are attached to their phone as if it’s an extra limb. As the British anthropologist Daniel Miller puts it, “The smartphone is no longer just a device that we use, it’s become the place where we live.” And the NSO Group has created a very efficient crowbar for getting inside. •